It was discovered that the Apache web server did not properly handlethe "Options=" parameter to the AllowOverride directive:

In the stable distribution (lenny), local users could (via .htaccess)enable script execution in Server Side Includes even in configurationswhere the AllowOverride directive contained onlyOptions=IncludesNoEXEC.

In the oldstable distribution (etch), local users could (via.htaccess) enable script execution in Server Side Includes and CGIscript execution in configurations where the AllowOverride directivecontained any "Options=" value.

For the stable distribution (lenny), this problem has been fixed inversion 2.2.9-10+lenny3.

The oldstable distribution (etch), this problem has been fixed inversion 2.2.3-4+etch8.

For the testing distribution (squeeze) and the unstable distribution(sid), this problem will be fixed in version 2.2.11-6.

This advisory also provides updated apache2-mpm-itk packages whichhave been recompiled against the new apache2 packages (except for thes390 architecture where updated packages will follow shortly).

We recommend that you upgrade your apache2 packages.

Upgrade instructions- --------------------

wget url will fetch the file for youdpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line forsources.list as given below: